[#MDEV-20733] Allow roles to impose limits

[MDEV-20733] Allow roles to impose limits Created: 2019-10-03 Updated: 2019-10-06 Resolved: 2019-10-06
Status:	Closed
Project:	MariaDB Server
Component/s:	Authentication and Privilege System
Fix Version/s:	N/A

Type:

Task

Priority:

Minor

Reporter:

Assen Totin (Inactive)

Assignee:

Sergei Golubchik

Resolution:

Duplicate

Votes:

Labels:

None

Issue Links:

Duplicate
is duplicated by	MDEV-17602	Allow max_statement_time to be assign...	Open
is duplicated by	~~MDEV-20405~~	It should be possible to preset resou...	Closed

Description

This feature requests comes on behalf of a customer.

It seems that currently roles allow one to only set permissions, but not to impose usage limits (like max connections, max queries per unit of time etc.). It would be quite helpful to have this capabilities also in roles, so that RBAC may become a truly powerful; without this, one still has to keep separate user accounts just to impose usage limits.

On the question of possible conflict between limits defined in a role and for the user himself, there are probably several options to chose from:

Role always takes precedence.
Role and user are superimposed and higher values take precedence.
Role and user are superimposed and lower values take precedence.

On the question what to do with the currently opened connections, I guess we should keep it simple and not try to be retroactive, i.e. if the upon assumption of a role user gets lower max allowed connections that he currently has open, he should simply not be allowed to open any new ones. Similarly, any time-based limits (queries per hour etc.) should only be imposed forward in time, no need to try and look into what was before the role was assumed etc.

Generated at Thu Feb 08 09:01:45 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-20733] Allow roles to impose limits Created: 2019-10-03 Updated: 2019-10-06 Resolved: 2019-10-06